Softpedia
 

January 7th, 2011, 08:23 GMT · By

Microsoft Postpones Patching of Two Critical 0-Day Vulnerabilities

Microsoft not very concerned about 0-day vulnerabilities
Microsoft announced that it doesn't plan to patch two publicly known 0-day vulnerabilities in Internet Explorer and Windows during this month's Patch Tuesday.

Next week, on January 11, the Redmond software giant is scheduled to release its monthly batch of security bulletins; however, it will leave out some of the most serious issues.

One of the two bulletins announced for next Tuesday affects only Windows Vista and is rated as Important, while the other affects all supported Windows versions and has a severity rating of Critical.

On the other hand, these bulletins will not cover an actively exploited vulnerability affecting Internet Explorer 6, 7 and 8 on all Windows flavors.

Identified as CVE-2010-3971, the flaw consists of a use-after-free memory error in the mshtml.dll library and can be exploited to execute arbitrary code remotely.

Moreover, in the latter half of December, a group called Abysssec Security Research announced a reliable exploit for this vulnerability that bypasses the DEP and ASLR protection mechanisms in Windows.

According to Carlene Chmaj, senior response communications manager with Microsoft's Trustworthy Computing Group, targeted attacks exploiting this vulnerability have already been spotted in the wild.

However, to the dissatisfaction of many security researchers, Microsoft does not rush out patches if the threat is not widespread. The company provides mitigation solutions for this flaw in Security Advisory 2488013.

A second critical vulnerability that will remain unpatched is located in the Graphics Rendering Engine and affects all Windows versions except Windows 7 and Server 2008 R2.

This flaw was disclosed as a zero-day at a security conference in Korea last month and was confirmed by Microsoft earlier this week in Security Advisory 2490606.

In addition, there could be another unconfirmed 0-day vulnerability in Internet Explorer, disclosed by Google security researcher Michal Zalewski at the beginning of this year.
